2efa2eb53f3c58f9f734419b978e553728ec0a05450da29249c6f577a296928d

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEAS2efa2eb53f3c58f9f734419b978e553728ec0a05450da29249c6f577a296928ddllexe_JC.dll
Size

70KB
MD5

3000e8f3c4a66e99ee4ac244476ecf7f
SHA1

825b6db45f89b3fec1527fb262bd93c9cd073652
SHA256

2efa2eb53f3c58f9f734419b978e553728ec0a05450da29249c6f577a296928d
SHA512

6396860c31a581baf0243d095b5c292982973a0488d0c253a479369e0edca0c345634694a64f826e3ab9e977314ac3e31d62a57e47d89e7828d252a5c2d0159c
SSDEEP

768:G407txg6CVX762AORxFGPRDEEOsx3n+79Namb3GluLrXCS32da1NzBoFsxHv5rMx:Gd7TGAgFqoQn+mmTCuL7zNzBl55rw3

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2504	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2804	8zb1783goC.exe

Loads dropped DLL 4 IoCs

pid	Process
2504	rundll32.exe
2504	rundll32.exe
2504	rundll32.exe
2504	rundll32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000146dc-16.dat	upx
behavioral1/files/0x000b0000000146dc-26.dat	upx
behavioral1/files/0x000b0000000146dc-30.dat	upx
behavioral1/files/0x000b0000000146dc-24.dat	upx
behavioral1/files/0x000b0000000146dc-21.dat	upx
behavioral1/files/0x000b0000000146dc-17.dat	upx
behavioral1/memory/2804-31-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/2804-69-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2504	rundll32.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe
2804	8zb1783goC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2804	8zb1783goC.exe
2804	8zb1783goC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2504	1228	rundll32.exe	28
PID 1228 wrote to memory of 2504	1228	rundll32.exe	28
PID 1228 wrote to memory of 2504	1228	rundll32.exe	28
PID 1228 wrote to memory of 2504	1228	rundll32.exe	28
PID 1228 wrote to memory of 2504	1228	rundll32.exe	28
PID 1228 wrote to memory of 2504	1228	rundll32.exe	28
PID 1228 wrote to memory of 2504	1228	rundll32.exe	28
PID 2504 wrote to memory of 2804	2504	rundll32.exe	30
PID 2504 wrote to memory of 2804	2504	rundll32.exe	30
PID 2504 wrote to memory of 2804	2504	rundll32.exe	30
PID 2504 wrote to memory of 2804	2504	rundll32.exe	30
PID 2504 wrote to memory of 2804	2504	rundll32.exe	30
PID 2504 wrote to memory of 2804	2504	rundll32.exe	30
PID 2504 wrote to memory of 2804	2504	rundll32.exe	30
PID 2804 wrote to memory of 1576	2804	8zb1783goC.exe	31
PID 2804 wrote to memory of 1576	2804	8zb1783goC.exe	31
PID 2804 wrote to memory of 1576	2804	8zb1783goC.exe	31
PID 2804 wrote to memory of 1576	2804	8zb1783goC.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2efa2eb53f3c58f9f734419b978e553728ec0a05450da29249c6f577a296928ddllexe_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2efa2eb53f3c58f9f734419b978e553728ec0a05450da29249c6f577a296928ddllexe_JC.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Roaming\8zb1783goC.exe
    "C:\Users\Admin\AppData\Roaming\8zb1783goC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo.>c:\xxxx.ini
      4⤵
      PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Admin\AppData\Roaming\8zb1783goC.dat

Filesize
132KB

MD5
de62636b582806805921862c3c9f0a74

SHA1
8b93a386be91b2bcf515a72853b1561e0ae32df6

SHA256
049844486ad7568ea151398f554525f1424afdcf9536961abcfe4ca7c4538d77

SHA512
39e046fda9d4593617017a2425b9e154b2368ab4404c497bbef7d1d6a7839acc8a99800ebd9abbefe53528e202b2f9cea1bb4f9f4685e34e4dbec4eef8b61963

Download Submit
C:\Users\Admin\AppData\Roaming\8zb1783goC.exe

Filesize
476KB

MD5
2a8cb72531364c728a5d258ae273f69e

SHA1
468bcf5fed89e7c8f06fc5e1c10813bd0bfdfcda

SHA256
9ec36a5e74861894d8f738e486956fd52899a780dbd759853b1ea8093645e090

SHA512
8785335e31b4d03160e2f3f81eb245065d88d13494dd69d486e63b813d755f7f63011e0b57b4f8f1f60d42dec72649000f88ebdfc29cb9bde2798fe75ec81b43

Download Submit
C:\Users\Admin\AppData\Roaming\8zb1783goC.exe

Filesize
476KB

MD5
2a8cb72531364c728a5d258ae273f69e

SHA1
468bcf5fed89e7c8f06fc5e1c10813bd0bfdfcda

SHA256
9ec36a5e74861894d8f738e486956fd52899a780dbd759853b1ea8093645e090

SHA512
8785335e31b4d03160e2f3f81eb245065d88d13494dd69d486e63b813d755f7f63011e0b57b4f8f1f60d42dec72649000f88ebdfc29cb9bde2798fe75ec81b43

Download Submit
C:\Users\Admin\AppData\Roaming\Edge.jpg

Filesize
358KB

MD5
252533604747811c91b648c0d63a5895

SHA1
0e50ebf1d30305a3781c480cc10c23818dea9c78

SHA256
c58e7c48c20189922d4fa6c5ca81ad3dc5b87398c8aa439087d275cb28754649

SHA512
e4e8067cfbded001faf55e93244d5aec165625f7dc74743568c9b7b8cddf3c332bc607187900700a0827c6248d7e613e20240e068d18cfddd992236e37746e80

Download Submit
C:\Users\Admin\AppData\Roaming\edge.xml

Filesize
53KB

MD5
ef18deb631d7b6cc9a29ebfda550c464

SHA1
c1aa207ad8407ba86cbf8389c42209680be9a76b

SHA256
ff427ea800e38975ae2966f864a01d3200daeda6ec11b66ae0c42f0b5eb84fa0

SHA512
b107a2eef35c08c0b1aba4755a5524b630bfd241e7ee965527250f349fa31805872899fa28a3d674c707a23ffefc09ead592f60cfc762433cbfad89c8ea9c1e0

Download Submit
\Users\Admin\AppData\Roaming\8zb1783goC.exe

Filesize
476KB

MD5
2a8cb72531364c728a5d258ae273f69e

SHA1
468bcf5fed89e7c8f06fc5e1c10813bd0bfdfcda

SHA256
9ec36a5e74861894d8f738e486956fd52899a780dbd759853b1ea8093645e090

SHA512
8785335e31b4d03160e2f3f81eb245065d88d13494dd69d486e63b813d755f7f63011e0b57b4f8f1f60d42dec72649000f88ebdfc29cb9bde2798fe75ec81b43

Download Submit
\Users\Admin\AppData\Roaming\8zb1783goC.exe

Filesize
476KB

MD5
2a8cb72531364c728a5d258ae273f69e

SHA1
468bcf5fed89e7c8f06fc5e1c10813bd0bfdfcda

SHA256
9ec36a5e74861894d8f738e486956fd52899a780dbd759853b1ea8093645e090

SHA512
8785335e31b4d03160e2f3f81eb245065d88d13494dd69d486e63b813d755f7f63011e0b57b4f8f1f60d42dec72649000f88ebdfc29cb9bde2798fe75ec81b43

Download Submit
\Users\Admin\AppData\Roaming\8zb1783goC.exe

Filesize
476KB

MD5
2a8cb72531364c728a5d258ae273f69e

SHA1
468bcf5fed89e7c8f06fc5e1c10813bd0bfdfcda

SHA256
9ec36a5e74861894d8f738e486956fd52899a780dbd759853b1ea8093645e090

SHA512
8785335e31b4d03160e2f3f81eb245065d88d13494dd69d486e63b813d755f7f63011e0b57b4f8f1f60d42dec72649000f88ebdfc29cb9bde2798fe75ec81b43

Download Submit
\Users\Admin\AppData\Roaming\8zb1783goC.exe

Filesize
476KB

MD5
2a8cb72531364c728a5d258ae273f69e

SHA1
468bcf5fed89e7c8f06fc5e1c10813bd0bfdfcda

SHA256
9ec36a5e74861894d8f738e486956fd52899a780dbd759853b1ea8093645e090

SHA512
8785335e31b4d03160e2f3f81eb245065d88d13494dd69d486e63b813d755f7f63011e0b57b4f8f1f60d42dec72649000f88ebdfc29cb9bde2798fe75ec81b43

Download Submit
memory/2504-29-0x0000000002EE0000-0x000000000301F000-memory.dmp

Filesize
1.2MB

Download
memory/2504-28-0x0000000002EE0000-0x000000000301F000-memory.dmp

Filesize
1.2MB

Download
memory/2804-31-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2804-55-0x00000000032E0000-0x00000000032F2000-memory.dmp

Filesize
72KB

Download
memory/2804-53-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/2804-58-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/2804-69-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download